CVE-2025-30355 is a high severity vulnerability with a CVSS score of 7.5. No known exploits currently, and patches are available. This is classified as a zero-day vulnerability.
Lower probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
A malicious server can craft events with a depth outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild.
Fixed in Synapse v1.127.1.
Closed federation environments of trusted servers or non-federating installations are not affected.
If you have any questions or comments about this advisory, please email us at security at element.io.
| Vendor | Product |
|---|---|
| Matrix | Synapse |
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.